#!/usr/sbin/dtrace -s
/*
 * setuids.d - snoop setuid calls. This can examine user logins.
 *             Written in DTrace (Solaris 10 3/05).
 *
 * 18-Jun-2005, ver 1.00
 *
 * USAGE:       ./setuids.d
 *
 * FIELDS:
 *              UID     user ID (from)
 *              SUID    set user ID (to)
 *              PPID    parent process ID
 *              PID     process ID
 *              PCMD    parent command
 *              CMD     command (full arguments)
 *
 * SEE ALSO: BSM auditing
 *
 * CAVEATS (review notes for anyone using this as a security monitor):
 *   - Only the setuid(2) syscall is traced. A uid change made through
 *     one of the sibling credential calls (e.g. seteuid/setreuid) is not
 *     reported, so "no output" is not evidence that no uid change
 *     happened on the system.
 *   - Only successful calls are printed (return value 0). A process that
 *     probes for privilege and fails with EPERM leaves no trace here;
 *     BSM auditing is the right tool for a complete record.
 *   - CMD is taken from pr_psargs, i.e. the process's own argv, which a
 *     process can overwrite. Treat it as a hint, never as an identity.
 *     PCMD (u_comm of the parent) is likewise informational only.
 *   - UID is the DTrace `uid' builtin as read at the entry probe (see the
 *     DTrace builtin variable docs for whether that is the real or the
 *     effective uid on your release); a process may already be running
 *     with credentials that differ from it.
 *
 * Standard Disclaimer: This is freeware, use at your own risk.
 *
 * 09-May-2004  Brendan Gregg   Created this.
 * 08-May-2005     "      "     Used modern variable builtins.
 */

#pragma D option quiet

/*
 * Column header, printed once when the script starts.
 */
dtrace:::BEGIN
{
	printf("%5s %5s %5s %5s %-12s %s\n",
	    "UID", "SUID", "PPID", "PID", "PCMD", "CMD");
}

/*
 * On entry, remember the calling uid and the requested uid (arg0) in
 * thread-local variables so the return probe can report them. The
 * tracing flag pairs an entry with its return so a return probe fired
 * without a matching entry (script started mid-syscall) prints nothing.
 */
syscall::setuid:entry
{
	self->from_uid = uid;
	self->to_uid = arg0;
	self->tracing = 1;
}

/*
 * On a successful return (setuid returns 0), print one line for the
 * credential change. arg0 here is the syscall's return value.
 */
syscall::setuid:return
/self->tracing && arg0 == 0/
{
	printf("%5d %5d %5d %5d %-12s %s\n",
	    self->from_uid, self->to_uid, ppid, pid,
	    stringof(curthread->t_procp->p_parent->p_user.u_comm),
	    stringof(curpsinfo->pr_psargs));
}

/*
 * Cleanup on every return, success or failure, so the thread-local
 * variables do not linger (and do not leak) across calls.
 */
syscall::setuid:return
{
	self->tracing = 0;
	self->to_uid = 0;
	self->from_uid = 0;
}